[ransomware.live] improvements

[yassine-ouaamou]

Following some tests after the improvements made by @sudesh0sudesh in this issue https://github.com/OpenCTI-Platform/connectors/issues/2351 , here are two other improvements I see:

• Use "related-to" relationship between an Individual and a Sector I have seen the following error in the ingestion: The relationship type part-of is not allowed between Individual and Sector
• Remove the victim's webpage URL from the external references (in reports for example)

[sudesh0sudesh]

@yassine-ouaamou sorry but i am creating it between organisation and sector

[sudesh0sudesh]

sorry, there is one place i used individual, will modify it 👍

[yassine-ouaamou]

Thanks @sudesh0sudesh! Why would you need to link an Individual with a Sector? Can you share with us an example, please?

[sudesh0sudesh]

Nope, it was a mistake, I was testing organisations with name less than two words, I should have replaced it in organisation.

[yassine-ouaamou]

I noticed that the connector ingests the full data each time: This is a blocking behaviour as it will impact the performance of the platform. Is it possible to implement an offset in order to fetch only the new data?

[sudesh0sudesh]

It will not be ingesting full data, it is limited to past 24 hrs. Sometimes, there may be an updated dataset with the same timestamp in the fields. I can adjust the capture window to be between the previous run and the current run, but this may cause some issues with certain reports.

[sudesh0sudesh]

On the other hand, they can decrease the frequency of ingestion

[yassine-ouaamou]

What could be the issues with the reports in the case you are describing?

[sudesh0sudesh]

Few of those are Wrong Country assignment, assignments to Wrong org.

[seanthegeek]

I'm also observed where the victim is linked to a part of Diplomacy when the sector field in ransomeware.live is blank and the victim has nothing to do with Diplomacy.

[seanthegeek]

It would be great to be able to turn off the generation of threat actors. I'm using intrusion sets exclusively instead of threat actors to keep things simple.

[sudesh0sudesh]

@seanthegeek will be looking at both of those, will priortise sector and will be making threat actors optional in future release

[seanthegeek]

@sudesh0sudesh Thanks. I just thought of other improvements for future releases:

• Add relationships between the intrusion sets and the tools used (Most of the tools exist in the MITRE dataset)
• Add the links provided in the ransomware.live group pages as external references in the intrusion sets
• Add a link to ransomeware.live group page to the external references of the intrusion set

[seanthegeek]

The ransomware.live does not currently provide the list of tools or YARA rules via the API. I'll contact them about that. The reference links are included in a list named profile though.